Shawn McCarthy | The myths and realities of standard configuration

The Federal Desktop Core Configuration (FDCC) is a security mandate and a push toward PC standardization by the Office of Management and Budget. It will affect thousands of PCs in most federal agencies.

The deadline for migration to the FDCC ' for all Windows XP and Vista computers ' is less than three months away.

In spite of the short time frame, there is still considerable confusion about what compliance with the FDCC means and how agencies should transition to the approved configuration.

A government network manager recently told me he was under the impression he had to migrate every computer on his network, which isn't true.

To help clarify what the FDCC requires, I collected the following details from the National Institute of Standards and Technology, OMB and other government sources.

The mandate applies only to certain desktop and laptop PCs. It does not apply to servers, mainframes or routers.

It applies only to select Microsoft Windows operating systems. It does not apply at this time to Macintosh computers, Linux client machines or any other personal computer OS.

Because no approved configuration exists for Windows 98, 2000, ME or other versions, these operating systems cannot be brought into compliance. But there is no retirement date for these older machines.

If it's possible to upgrade an older machine to allow it to run one of the approved configurations, it's not a bad idea to make this transition because you may tighten security. But it's not required.

The XP configuration is based on an Air Force customization of the Specialized Security-Limited Functionality recommendations in NIST's Special Publication 800-68 plus Defense Department customization of the recommendations in Microsoft's Security Guide for Internet Explorer 7.0.

The Vista configuration is based on DOD customization of the Microsoft Security Guides ' which apply to Vista and Internet Explorer 7.0 ' with input from the Defense Information Systems Agency, the National Security Agency and NIST.

Any Windows XP Professional or Vista machine in service in the federal government must be brought into compliance with the approved FDCC by Feb. 1. Any machine purchased after Feb. 1 must comply.

An easy solution is to fully re-image each PC using the .INF files available from NIST and Microsoft. But re-imaging might be impractical, so detailed assessments and possibly full scans of all computers must be conducted. Scans should generate reports of what is needed to bring PCs into compliance.

Automated configuration management could be important for larger networks to assure long-term compliance. Such management tools will also be handy for the ongoing migration to IPv6.

Agencies must apply for waivers for deviations from the standard, including documentation of why the changes are required.

Vendor products must not alter the standard configuration, and software and hardware products must operate as intended within the federal secure configuration.